CVE-2021-4120
HIGHsnapd < 2.54.3 - AppArmor Policy Rule Injection via Malformed Content Interface and Layout Declarations
Title source: llmDescription
snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
References (5)
Core 5
Core References
Patch, Vendor Advisory x_refsource_misc
https://ubuntu.com/security/notices/USN-5292-1
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/snapd/+bug/1949368
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/02/18/2
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/
Scores
CVSS v3
8.2
EPSS
0.0009
EPSS Percentile
25.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (6)
canonical/snapd
< 2.54.2
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
20.04
canonical/ubuntu_linux
21.10
fedoraproject/fedora
34
fedoraproject/fedora
35
Published
Feb 17, 2022
Tracked Since
Feb 18, 2026